Blue Team Tools

Start Course

Description

Blue Teams have one of the most challenging jobs in the world, finding the bad actor needle in the mound of needles. Attacker techniques are continually evolving, and the threat surface and required data for analysis is constantly increasing. In this course, Blue Team Tools: Defense against Adversary Activity using MITRE Techniques, you'll cover how to utilize Blue Team Tools to protect, detect, and respond against targeted threat actor techniques in an enterprise environment. First, you'll learn the purpose and origin of Blue Team Tools and the functions that they fulfill in modern cybersecurity organizations. Next, you'll leverage MITRE ATT&CK and Shield to get a 360-degree view of attack scenarios and the data and capabilities you need to stop them. Finally, you'll analyze your organization's tooling gaps and how Blue Team Tools can fill them. When you're finished with this course, you'll have the skills and knowledge to leverage the Blue Team Tools skill path to enable your security organization to evolve their capabilities as fast as the threat actors you are defending against.

Start Course

Description

Finding undetected threats in your network through proactive network analysis requires the right tools. In this course, Network Analysis with Arkime, you’ll learn how to utilize Arkime to detect anomalous or malicious network traffic in an enterprise environment. First, you'll gain insight into how to detect common malware delivery patterns. Next, you’ll learn how to use Arkime to identify malware command and control. Finally, you’ll utilize the many features of Arkime to identify data exfiltration. When you’re finished with this course, you’ll have the skills and knowledge to detect these techniques using Arkime.

Start Course

Description

Cyber attacks are hitting our networks daily, and some of them have become very advanced. Traditional firewalls can be used in order to help the process of detecting and blocking them. In this course, Network Analysis with pfSense, you’ll cover how to utilize pfSense to protect and detect against common attack and exfiltration techniques in an enterprise environment. First, you’ll demonstrate how to setup a decoy VPN server using pfSense to detect compromised accounts. Next, you’ll operate pfSense to block the use of alternate protocols by blocking unnecessary ports and protocols. Finally, you’ll analyze known anonymity and C2 networks and block them using pfSense’s DNS services. When you’re finished with this course, you’ll have the skills and knowledge to block and detect these techniques External Remove Services T1133, Exfiltration Over Alternative Protocol T1048, and Proxy: Multi-hop Proxy T1090.003 using pfSense.

Start Course

Description

Though many cyber attack techniques can be effectively and heuristically identified by analyzing the endpoint logs, there are surprisingly few capabilities that focus solely on parsing windows logs and OS data and providing a platform to perform advanced statistical analysis. In this course, OS Analysis with HELK, you’ll cover how to utilize Hunt ELK to detect adversary endpoint attack techniques in an enterprise environment. First, you’ll see the gap that HELK fills with Windows event log analysis. Next, you'll explore how to operate the advanced hunt features provided by HELK. Finally, you’ll learn how to analyze a live dataset to hunt for adversary activity. When you’re finished with this course, you’ll have the skills and knowledge to detect these techniques: Kerberoasting T1208, Bits Jobs T1197, and indicator removal on hosts T1070 using HELK.

Start Course

Description

Windows Registry analysis is a fundamental step during any incident response scenario, as it provides conclusive evidence needed to support or deny any suspicious activity on a Windows system. In this course, you’ll cover how to utilize RegRipper to detect adversary endpoint attack techniques in an enterprise environment. First, you’ll demonstrate the RegRipper plugins which are a unique approach for Registry analysis. Next, you’ll operate RegRipper to run against various registry hives using a custom set of plugins. Finally, you’ll analyze Windows Registry to detect adversary activity on a Windows host. When you’re finished with this course, you’ll have the skills and knowledge to detect these techniques: Create or Modify System Process (T1543), Boot or Logon Autostart Execution (T1547), Exfiltration Over Physical Medium (T1052), using RegRipper.

Start Course

Description

Detecting process-level and file-level attacks can be challenging. Additionally, many tools are "alert factories" that don't have the ability to remediate in-progress attacks. Luckily, Wazuh solves these problems! In this course, OS Analysis with Wazuh, you'll cover how to utilize Wazuh to respond to data exfiltration in an enterprise environment. First, you'll create a rule to detect malicious filesystem operations. Next, you'll uncover a rootkit through Wazuh by using a Python script. Finally, you'll leverage Wazuh's Active Response functionality to automatically quarantine the host (and prevent it from exfiltrating data). In this course, you will simulate all attacks through Merlin (a popular C2 service) so we can emulate real-world scenarios! (No prior Merlin experience is needed). When you're finished with this course, you'll have the skills and knowledge to detect these techniques: Scheduled Task/Job (T1053), Hijack Execution Flow (T1574), and Exfiltration Over C2 Channel (T1041).

Start Course

Description

In this course, OS analysis with Volatility, you will cover how to utilize Volatility to identify and detect evidence of suspected compromise such as malicious commands and programs executed on a host computer system. You will learn how to extract the command line history from the volatile memory. You will also learn how to initiate an investigation of malicious programs and how to defend against malicious program execution. When you are finished with the course, you will have the skills and knowledge to aid in mitigating technique T1055 and 1059.

Start Course

Description

It is impossible to manually identify all dangerous configurations, given how cloud services are exploding in numbers and complexity. In this course, Cloud Infrastructure Analysis with Scout Suite, you will gain the ability to identify cloud configuration issues with Scout Suite. First, you will learn how to create a vulnerable cloud environment. Next, you will discover how to install Scout Suite with minimal privileges. Finally, you will explore how to analyze the vulnerable cloud environment with Scout Suite. When you are finished with this course, you will have the skills and knowledge of Scout Suite needed to analyze cloud deployments for security issues.

Start Course

Description

Ensuring your cloud environments are securely configured is an important element in developing a continuous cloud security program. In this course, Cloud Infrastructure Analysis with Prowler, you will see how to utilize Prowler to identify and detect security misconfigurations in the cloud in an enterprise environment. You will learn how to audit your cloud security accounts protecting your cloud environment. You will also get to see how to build a decoy network and how to analyze your cloud configurations for exposed services. When you are finished with this course, you will have the skills and knowledge to aid in mitigating technique T1526 using Prowler.

Start Course

Description

“Common” Kubernetes (K8s) hardening suggests a focus on the control plane. But what if a cluster could be backdoored through the kubelet? In this course, Container Infrastructure Analysis with kube-hunter, we will use kube-hunter to investigate a K8s attack. First, you will use kube-hunter to enumerate security weaknesses in a K8s cluster. Second, you’ll use kube-hunter findings (i.e., a discovered kubelet endpoint) to investigate privilege escalation. Third, you’ll leverage the privilege escalation findings to detect a persistence method (i.e., a malicious container image) through Trivy . Fourth, you’ll harden K8s so the aforementioned attack can’t occur again! When you’re finished with this course, you’ll have the skills and knowledge to detect these techniques: System Services (T1569), Exploitation for Privilege Escalation (T1068), and Implant Container Image (T1525).

Start Course

Description

In this course, we will focus on automating docker image security scans:

1. use Trivy (and a Github Action) to scan Dockerfiles within Github
2. use Trivy to uncover a malicious image within a Docker registry
3. perform an analysis on the malicious image to uncover the source of compromise

When you’re finished with this course, you’ll have the skills and knowledge to detect these techniques: Supply Chain Compromise (T1195), Implant Container Image (T1525).

Start Course

Description

In this course, File Analysis with TruffleHog you will cover how to utilize TruffleHog to identify and detect sensitive data such as credentials accidentally committed to source code repository environments. You will discover how to audit your source environments including recent and historic source code commits. You will learn how to place decoy credentials in source code repositories and analyze your repositories for exposed credentials. When you are finished with this course, you will have the skills and knowledge to aid in mitigating technique T1552 using TruffleHog.